Wednesday, December 20, 2017

A handy trick for proxying HSTS sites in Chrome

TL;DR: Chrome has a nifty undocumented trick that makes proxying so much more useful when testing sites using HSTS or pinned certs: where the security warning screen doesn't give you an option to ignore, type "badidea" to continue anyway.

Browser makers have been raising the bar when it comes to website security, gradually moving toward a state where insecure websites stand out like a sore thumb. The result has been a steady increase in the proportion of websites that safeguard your private information while in transit between you and the web server. Google's Chrome in particular makes it especially challenging to use badly secured websites, with a variety of warning messages such as the image above.

In the example above, the website in question has enabled HTTP Strict Transport Security, or HSTS, which tells browsers that it should only be accessed over a secure channel, and so to always use HTTPS. Essentially, the website tells browsers "don't ever come here again except over HTTPS."

In this case, the warning is slightly misleading: I am browsing to the site over HTTPS, but using a proxy to inspect what I am sending to the website. The proxy feature of Burp Suite allows me to send information to a secure website, but to catch and decrypt it before it leaves my computer, to see exactly what my browser is sending.  

As a penetration tester or vulnerability researcher, it is very handy for making sure an application is not sending more data than I intend. It is also very handy for probing an application for data leaks and weaknesses. In this scenario, Chrome's helpful protection is less, well, helpful.

Thankfully, Google developers included an undocumented Easter Egg: typing the phrase "badidea" while that warning is on the screen, will clear the warning and proceed to the website.

A note to readers: this is a handy trick for researchers and penetration testers. Generally though, that warning is there for a reason. If you unexpectedly see a warning that your connection is not private - your connection is not private. If you are not intentionally man-in-the-middling your connection, the warning likely means either the website or your network is compromised. The technique I use for testing web applications is the same technique used by malicious hackers to eavesdrop when you connect to an "evil twin" hotspot mimicking the legitimate connection provided by your coffee shop or airport.

The moral? Unless you know what you are doing, bypassing Chrome's privacy warning is, well, a bad idea.

Thursday, November 30, 2017

Private data in public places

Professional social engineer and open source intelligence expert Stephanie "@_sn0ww" Carruthers makes a living out of (mis)using what people and companies share publicly, so when she talks I listen. Her talk at the Lonestar Application Security conference in October was captivating in showing how such information can be used to infiltrate a business (in her case, for the purposes of showing the business their weaknesses and how to defend themselves against someone with actual malicious intent). She made an observation this week that sparked some lively discussion:

Don't leave your resume public on google docs.

Monday, November 27, 2017

Be sure to deregister Amazon devices purchased as gifts

Buying Amazon devices as holiday gifts? Be sure to deregister them from your account!

Now that post-Thanksgiving shopping is in full swing, here's a brief tip for those purchasing Amazon gadgets as Christmas gifts: if you are giving an Amazon Device to someone outside your household, take a moment to deregister the device from your Amazon account. Otherwise you may inadvertently give more gift than you bargained for.

Amazon devices ship pre-connected to the purchaser's account -- and thus to the purchaser's payment settings. This is the case for Fire TV devices; it may also be true for Fire tablets and Echo voice control devices. Straight out of the box, an Amazon Fire TV device can purchase digital media and games, billed to the original purchaser of the device.

I actually like this user experience decision: it is quite consumer-friendly, making it simple to unbox it, plug it in, and immediately start using it. Sure there's a potential abuse case here: a device stolen out of the mailbox could be abused to make digital purchases billed to the rightful owner - but those purchases are still tied to your account, not to the device, so there's no transferable value to the thief*. On top of that the purchaser gets a notification as soon as the device is first activated, limiting the window to make fraudulent purchases. And of course fraudulent purchases can be disputed and reversed.

This leads to another tip: where possible use a low-limit credit card, or a prepaid debit card, for any online accounts. That way any fraud is with the bank's money and not yours. A debit card is tied directly to your bank account, meaning fraud immediately hits your cash balance. Sure, you'll get fraudulent transactions reversed and the money back. Eventually. But eventually doesn't help if the rent is due today.

*Digital media is not transferable. However, some apps feature in-app shopping, suggesting it may be possible for a mail thief to plug in a Fire TV and purchase physical items for delivery. Alexa voice commands theoretically would allow for purchasing hard goods independent of any app features.

Thursday, November 9, 2017

IR Toolkit

In 20 years of systems administration and incident response, there are a handful of tools I find myself coming back to over and over again. Naturally, the SysInternals suite is on the list, along with Wireshark and Didier Stevens' PDF tools. I've also included portable installations of Python. Some are useful for examining a system, others are useful for examining a suspicious file or attachment. So... I started a GitHub project to document my favorite free and/or open-source tools.

I'll bet my readers have some of their own favorites: by all means, please comment below, or submit a pull request on GitHub, and I'll update the list!

Tuesday, October 10, 2017

Exploiting Office native functionality: Word DDE edition

Sensepost researchers show a way to exploit DDE to run code from Word, without macros or buffer overflows. Here's how to detect it.

Updated 20 October: Added a note regarding enabling full command line logging for process creation events; added a note clarifying that "Creator Process Name" is only recorded in Windows 10 and Windows Server 2016. Older versions of Windows record the creator process ID but not the process name; added references to a variety of exploitation techniques found by other researchers or seen in the wild.

Updated 11 October: I originally wrote that this exploit technique bypassed both disabled macros, and Protected View. That is incorrect: this technique will work if macros are disabled, but the code does not trigger while in Protected View. Thanks to Matt Nelson (@enigma0x3) for pointing out my mistake.

I love reading exploit techniques that rely on native features of the operating system or common applications. As an attacker, I find it diabolically clever to abuse features the target fully expects to be used and cannot turn off without disrupting business. As a defender, I am intrigued by the challenge of detecting malicious use of perfectly legitimate features.

Researchers Etienne Stalmans and Saif El-Sherei of Sensepost wrote of a slick way to execute code on a target computer using Microsoft Word - but without the macros or buffer overflows usually exploited to this end. Instead, they use dynamic data exchange, or DDE - an older technology once used for coding and automation within MS Office applications. This is particularly clever because it works even with macros disabled - because it's not using the macro subsystem.
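The detection angle in the update notes above (process creation events, with "Creator Process Name" only available on Windows 10 and Server 2016) as an added example that is not part of the original post: it flags a command interpreter started by Word, and falls back to correlating the creator PID against earlier events where the parent name is missing. The sample 4688 messages, PIDs and command lines are constructed, and the parent/child process sets are assumptions to tune for your environment.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample Security event 4688 messages, trimmed to the fields used
# here. They are not real logs; paths, PIDs and command lines are made up.
SAMPLE_4688_EVENTS = [
    # Explorer launches Word (ordinary user activity).
    r"""A new process has been created.
Process Information:
    New Process ID:        0x1f40
    New Process Name:      C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    Creator Process ID:    0xa10
    Creator Process Name:  C:\Windows\explorer.exe
    Process Command Line:  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\invoice.docx"
""",
    # Older Windows: only the Creator Process ID is recorded, no Creator Process Name.
    r"""A new process has been created.
Process Information:
    New Process ID:        0x2204
    New Process Name:      C:\Windows\System32\cmd.exe
    Creator Process ID:    0x1f40
    Process Command Line:  cmd.exe /c echo constructed-sample
""",
    # Explorer launches Notepad (benign, must not be flagged).
    r"""A new process has been created.
Process Information:
    New Process ID:        0x3010
    New Process Name:      C:\Windows\System32\notepad.exe
    Creator Process ID:    0xa10
    Creator Process Name:  C:\Windows\explorer.exe
    Process Command Line:  notepad.exe
""",
    # Windows 10 / Server 2016: Creator Process Name is present.
    r"""A new process has been created.
Process Information:
    New Process ID:        0x2a88
    New Process Name:      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Creator Process ID:    0x1f40
    Creator Process Name:  C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    Process Command Line:  powershell.exe -NoProfile -Command "Write-Output constructed-sample"
""",
]

# Assumptions: which parent/child pairings to alert on. Extend OFFICE_PARENTS
# (e.g. excel.exe, outlook.exe) to match what your environment runs.
OFFICE_PARENTS = {"winword.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe"}

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_4688(message: str) -> Dict[str, str]:
    """Turn the 'Field:   value' lines of a 4688 message into a dict."""
    fields: Dict[str, str] = {}
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def detect_office_spawns(events: List[str]) -> List[Dict[str, str]]:
    """Return one finding per interpreter launched by an Office parent.

    Events must be in chronological order: on Windows versions that log only
    the creator PID, the parent image is resolved from the most recent 4688
    event that created that PID. PIDs are reused, so that correlation is
    best-effort and the finding records which method named the parent.
    """
    findings: List[Dict[str, str]] = []
    pid_to_image: Dict[str, str] = {}
    for message in events:
        ev = parse_4688(message)
        child = ev.get("New Process Name", "")
        parent = ev.get("Creator Process Name", "")
        source = "Creator Process Name"
        if not parent:
            parent = pid_to_image.get(ev.get("Creator Process ID", "").lower(), "")
            source = "pid correlation"
        if image_name(parent) in OFFICE_PARENTS and image_name(child) in INTERPRETERS:
            findings.append({
                "parent": image_name(parent),
                "child": image_name(child),
                "command_line": ev.get("Process Command Line", ""),
                "parent_source": source,
            })
        new_pid = ev.get("New Process ID", "").lower()
        if new_pid:
            pid_to_image[new_pid] = child
    return findings


if __name__ == "__main__":
    for f in detect_office_spawns(SAMPLE_4688_EVENTS):
        print(f"{f['parent']} -> {f['child']} ({f['parent_source']}): {f['command_line']}")
```

The command line is only present if command-line logging for process creation is enabled, as the update note above says; the detection itself works without it.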

Thursday, October 5, 2017

Enable two-factor on your Yahoo account... if you can

Yahoo! accounts have very different security options depending on their origin.

Unless you've been living under a rock, you know by now that Yahoo! suffered a massive data breach in 2013. The number of accounts reportedly affected changed a number of times, until this week it announced that every single account had been compromised. All 3 billion of them.

Zack Whittaker, security editor for ZDNet, had this to say:

Secure your Yahoo account with 2FA, but do not delete it. Deleting it will recycle your account after 30 days — and anyone can hijack it.

That's good advice - if you can. Many cannot.

Monday, October 2, 2017

Seven steps to minimize your risk of financial identity fraud

Credit Card Fraud spelled out using Scrabble tiles

This is one of a few Security for Real People blog posts routinely updated once or twice a year, to offer up-to-date advice to consumers and small businesses as threats evolve over time. The recent Equifax breach has put most Americans at a higher risk of identity fraud and is a good reason for an update.

How many times have you replaced your credit or debit card after the number was stolen?

Now how many of those times did you suffer actual harm due to the fraud?

Credit card fraud is frequently in the news - perhaps less now than it was a few years ago, but it still remains a hot topic. Between Sonic, Sabre, Target, The Home Depot, Sears/Kmart, Dairy Queen, Wendy's, Cici's Pizza, Goodwill - the list of businesses whose payment systems were breached to steal card numbers goes on and on.

In a widely-circulated news story in late 2016, researchers at UK's Newcastle University discovered a way to collect Visa card numbers without breaching a merchant. Generally speaking, a card number cannot be used online without also knowing the expiration date and the 3- or 4-digit code on the back. Visa's payment network will block repeated attempts to guess the expiration and security code coming from a merchant - but does not detect guessing attempts spread out across many merchants.

The result is, by automatically and systematically generating different versions of security data for a card number, and trying the different combinations across thousands of merchant websites, a malicious hacker can successfully guess the correct combination of account number, expiration date, and security code in just a few seconds.

So what can you do to take credit card fraud off the top of your list of worries?

Tuesday, September 19, 2017

Incremental wins: iOS11 strengthens the idea of Trust

Two years ago, a friend piqued my curiosity with a question about a iPhone / iPad app teenagers were using to hide content from nosy peers (and parents). This person wondered whether the app was more than "security by obscurity" - did the app actually protect and encrypt the hidden data, or did it merely hide it out of obvious sight?

The answer turned out to be the latter, but along the way I noticed a curious oversight in the iOS security model.

Monday, September 18, 2017

Avast download site compromised to host a malicious CCleaner

If you downloaded "CCleaner" software from antivirus company Avast between August 15 and September 12, you have a problem. Cisco's Talos threat research group discovered that the company's software download page was compromised to host a malicious version of CCleaner that contains malware.

Computers that downloaded and ran that software became part of a botnet, a network of computers under the control of whomever is behind that malware.

Those that follow my advice to use the free OpenDNS service for their home networks are partially protected - your computer would still download and install the malware, but would be prevented from accessing the command and control servers the criminals use to deliver instructions to your computer.

If you use CCleaner, check your antivirus software to be sure it is completely up-to-date, and run a full system scan. Now that the malware is known, most commercial antivirus programs will begin to detect it (with varying degrees of success).

I have long recommended automatically updating software with the latest available patches and updates, as a core tenet of basic security for individuals and small businesses. After a Ukrainian software company was hacked to deliver malware to taxpayers in that country, I wrote up an analysis of why I still held that recommendation.

I said then:
In over twenty years as a systems administrator and security professional - much of that time overseeing patching for a Fortune 100 company with a quarter million systems to update - I can count on one hand the number of catastrophic failures caused by patching, and still have fingers left over. Conversely, hardly a month goes by that I don't see malware and criminals exploit vulnerabilities in Windows, browsers, office productivity software, mobile apps, building automation systems, industrial control systems, and other computing software.
It is becoming increasingly difficult to maintain that position... I suspect I am up to two hands now, but for the time being, I still find quickly updating is less risky than not patching.

Thursday, September 14, 2017

A change of scenery for this security engineer

If you are looking for a seasoned infosec architect with red team skills, or know someone that is, take a few seconds to read on. I am currently in Austin, Texas, but could be talked into relocating for the right opportunity.

Who am I? An incident responder, a log correlation junkie, a malware analyst, a forensic investigator, a threat intelligence handler (real intelligence, not the threat data often thrown under that label), a network engineer, and a security architect. I break and fix things, so I can stop others from breaking or detect them when they do.

Having recently found myself on the wrong side of a "reduction in force," I now have a chance to build security for you.

I'm a dyed-in-the-wool defender. I have some red team skills (and a few CVEs to my credit), but those skills just make me a better defender and detector. My ideal job is building systems and automation to detect and triage incidents, and to find and address risks before they become incidents. It's what I've done for the better part of 20 years.

I've built security from the ground up for a mid-sized company you may not even know works for you. I ran vulnerability scans and assisted SMEs with prioritizing patching versus business priorities, and with coming up with mitigating options when patching was not immediately advisable. I built the company’s incident response program, then drilled it with a simulated data breach. I designed a log management strategy, enriched logs with open-source and company-specific context, and built a SIEM with open-source software to correlate events and highlight potential incidents.

Prior to that, I spent 20 years with a Fortune 50 enterprise. The early years were Windows and *nix system administration, along with switch, router and firewall administration, while from 2001 on it was a variety of direct security roles - primarily network defense; intrusion detection, triage and incident handling; risk assessment and threat intelligence. 

Friday, September 8, 2017

Equifax breach exposes 143 million to identity fraud

Updated to add a link to Equifax's official incident response website, . Fake sites and phishing email are already appearing, by criminals attempting to deceive and defraud worried consumers. Also updated to add a comment about identity theft potentially leading to tax fraud.

This breach is likely to be in the news for a while, and the effects will linger long after the media moves on.

Between mid-May and the end of July 2017, criminals accessed sensitive information on a website owned by financial credit reporting bureau Equifax. According to the company, personal information for approximately 143 million US consumers was compromised. An undisclosed number of Canadian and UK residents were also affected. This being a credit bureau - a company whose primary business is keeping track of consumers' financial identities - the information stolen was significant: social security numbers, birth dates, and addresses. In some cases, driver's licenses, credit card numbers and specific details related to dispute documents were also compromised.

For perspective, 143 million is more or less the same number as every working-age human in the United States.

I do not plan on going into how it happened - Brian Krebs did an excellent job of that. My goal is to provide my readers with advice on what to do now.

Monday, August 28, 2017

In the wake of Hurricanes Harvey and Irma, be alert for relief scams

Gulf of Mexico radar image August 24, credit NOAA

Update 30 August 2017: the Federal Trade Commission is reporting scam robocalls telling victims their flood insurance premiums are past due, and demanding immediate payment in order for their Hurricane Harvey damages to be covered. Don’t do it. Instead, contact your insurance agent.

Update 11 September 2017: everything said of Hurricane Harvey in Texas is equally true of Hurricane Irma in Florida and Georgia.

This is a blog post I do not enjoy updating after each major natural disaster, but alas where there is disaster, there are lowlifes looking to profit from it.

On August 25, Hurricane Harvey hit the middle Texas Coast as a major hurricane, packing sustained 130 mph winds. It then camped out in southeast Texas, dropping heretofore unheard of amounts of rain along a path from east of Austin to the Houston metro area.

Two weeks later, Hurricane Irma trashed the Caribbean before running up the west coast of Florida, again bringing widespread wind damage and flooding to much of that state and its neighbors.

As appalling as it is, major internationally-publicized disasters such as this invariably are followed by "cyber opportunists," criminals who take advantage of the publicity for their own nefarious gain. Two common methods are fraudulent requests for assistance, and malware-laden websites using search engine optimization to appear high in search results for news on the events of the day.

Tuesday, June 27, 2017

To Patchnya, or Not to Patchnya

Heads-up: there's another ransomware worm making the rounds. Initially thought to be a variant of the Petya ransomware family, it was later determined to be something entirely different, and has been dubbed "NotPetya" in many tweets and reports.

Like the WannaCry worm that made such a splash in May, it exploits a (now-patched) vulnerability in the Windows file sharing protocol known as SMB. Unlike WannaCry, it also harvests credentials from compromised systems, then uses standard Windows administration tools such as WMIC and psexec to spread within an organization.

Wednesday, May 24, 2017

Samba remote code execution exploit: what you need to know

This is going to hurt home users with Samba shares mounted on their SoHo routers or NAS, among other things. 

Samba is a file sharing service for Linux, similar to Windows SMB file shares (yes, the same SMB that was exploited in the recent WannaCry ransomware worm). A vulnerability in Samba could enable a similar attack on Linux systems. A malicious actor with access to upload files to a Samba share can upload malicious code and then use this vulnerability to cause the server to execute it.

Unlike SMB, Samba exists on a wide variety of systems from different makers - servers, laptops, home routers, network storage systems, media servers, and many IoT devices. And unlike Windows, those devices may not automatically install an update - even if the manufacturer provides one. 

A quick query of Internet scanner Shodan shows that nearly a half million devices running Samba are publicly accessible on the Internet. Interestingly, the large majority of those appear to be in the United Arab Emirates, leading one to wonder if Emirates Telecommunications Corporation is equipping its customers with a gateway router that has Samba enabled by default.

What can you do?

Update Samba

The best course of action is to update Samba to a non-vulnerable version (4.6.4 or newer; 4.5.10 or newer; or 4.4.14 or newer, according to the Samba Project advisory).

For most IoT devices, you are likely dependent on the manufacturer to release a firmware update that includes this fix.

Disable writable shares

This vulnerability can only be exploited using shares that allow uploading or writing files; read-only shares cannot be exploited.

Disable "named pipe endpoints" in your Samba config file

Similar to the way port numbers allow multiple layer 4 connections to the same layer 3 network address, named pipes allow multiple layer 5 (SMB) connections to the same layer 4 port (TCP 445). This is also the feature that can be exploited due to this vulnerability. Disabling named pipes prevents exploitation, though it may also disable expected functionality in some cases.

To disable named pipes, add the parameter:

nt pipe support = no

to the [global] section of your smb.conf file and restart smbd. You can modify smb.conf on a couple of IoT devices as follows:

Double-check that Samba is not exposed to the Internet

  • Browse to to check your public Internet address
  • Browse to and search for your address. You do not want to see the following - if you do, you'll need to check your router or firewall and disable public (or WAN) access to port 445:
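An added example, not from the original post, for checking the two configuration mitigations above ("Disable writable shares" and "nt pipe support = no") against an smb.conf before and after you edit it. The sample config is constructed; the parsing follows Samba's documented rules that "read only" defaults to yes, that "writable"/"writeable"/"write ok" are inverted synonyms of it, and that "nt pipe support" defaults to yes.

```python
import re
from typing import Dict, List

# Constructed sample smb.conf, not taken from the post or any real device.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = Home NAS
   # nt pipe support is left at its default (yes) in this sample

[public]
   path = /srv/public
   read only = yes

[uploads]
   path = /srv/uploads
   read only = no

[media]
   path = /srv/media
   guest ok = yes
   writeable = yes

[homes]
   browseable = no
   writable = no
"""

TRUE_VALUES = {"yes", "true", "1"}
FALSE_VALUES = {"no", "false", "0"}
# Samba treats these as inverted synonyms of "read only"; the last one set wins.
WRITE_SYNONYMS = {"writable", "writeable", "writeok"}


def _as_bool(value: str, default: bool) -> bool:
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    return default


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section name: {normalised key: value}}.

    Keys are lower-cased with whitespace removed, mirroring Samba's own
    handling ("read only" and "readonly" are the same parameter). The
    "writable" family is folded into "readonly" with the value inverted,
    so later settings override earlier ones regardless of spelling.
    Lines starting with '#' or ';' are comments; include/copy are ignored.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = "".join(key.split()).lower()
        value = value.strip()
        if key in WRITE_SYNONYMS:
            key, value = "readonly", ("no" if _as_bool(value, False) else "yes")
        sections[current][key] = value
    return sections


def share_is_writable(params: Dict[str, str]) -> bool:
    """Samba shares are read-only unless the config says otherwise."""
    return not _as_bool(params.get("readonly", "yes"), True)


def audit_smb_conf(text: str) -> Dict[str, object]:
    """Report the two exposures the mitigations above target."""
    sections = parse_smb_conf(text)
    glob = next((p for n, p in sections.items() if n.lower() == "global"), {})
    nt_pipes = _as_bool(glob.get("ntpipesupport", "yes"), True)
    writable = [n for n, p in sections.items()
                if n.lower() != "global" and share_is_writable(p)]
    findings: List[str] = []
    if nt_pipes:
        findings.append("nt pipe support is enabled; add 'nt pipe support = no' to [global]")
    for name in writable:
        findings.append(f"share [{name}] is writable; make it read-only if uploads are not needed")
    return {"nt_pipe_support": nt_pipes, "writable_shares": writable, "findings": findings}


if __name__ == "__main__":
    for line in audit_smb_conf(SAMPLE_SMB_CONF)["findings"]:
        print(line)
```

Run it against the real file (for example `audit_smb_conf(open("/etc/samba/smb.conf").read())`) on the device; an empty findings list means both mitigations are in place.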

Friday, May 19, 2017

Hit by WannaCry? It may also be a HIPAA breach

Ransomware is a common form of malware, designed to encrypt personal and business data, making it unusable unless the victim pays a "ransom" fee to the attacker to purchase the recovery key. It most often affects one person at a time, delivered by email or a malicious web browser download. 

Beginning May 12 however, the "WannaCry" or "WannaCrypt" ransomware spread rapidly by exploiting a flaw in the Windows operating system -- a flaw patched by Microsoft in March, but that nonetheless remained exposed in many organizations that had not yet updated their systems.

Under guidance issued by the US Department of Health and Human Services (HHS) last summer:
The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule.

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414. 

The HHS ransomware fact sheet (PDF download) includes the following Q&A:

Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule. Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including accordance with HIPAA breach notification requirements.

How can covered entities or business associates demonstrate “…that there is a low probability that the PHI has been compromised” such that breach notification would not be required?

To demonstrate that there is a low probability that the protected health information (PHI) has been compromised because of a breach, a risk assessment considering at least the following four factors must be conducted: 
  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  2. The unauthorized person who used the PHI or to whom the disclosure was made
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated. 
A thorough and accurate evaluation of the evidence acquired and analyzed as a result of security incident response activities could help entities with the risk assessment process above by revealing, for example: the exact type and variant of malware discovered; the algorithmic steps undertaken by the malware; communications, including exfiltration attempts between the malware and attackers’ command and control servers; and whether or not the malware propagated to other systems, potentially affecting additional sources of electronic PHI (ePHI). Correctly identifying the malware involved can assist an entity to determine what algorithmic steps the malware is programmed to perform. Understanding what a particular strain of malware is programmed to do can help determine how or if a particular malware variant may laterally propagate throughout an entity’s enterprise, what types of data the malware is searching for, whether or not the malware may attempt to exfiltrate data, or whether or not the malware deposits hidden malicious software or exploits vulnerabilities to provide future unauthorized access, among other factors.

Friday, May 12, 2017

Ransomware now comes in worm flavor

If you have SMBv1 in your enterprise, and haven't completed deploying MS17-010 (released in March), now would be a good time to expedite that. Multiple news outlets are reporting a widespread outbreak of the "WannaCry" ransomware. 

Ransomware is malware that encrypts all the data on a computer, holding it hostage until the victim pays a ransom fee. This particular attack is especially insidious because it acts as a "worm" - it spreads from computer to computer on its own, without any interaction from users.

The saving grace is that the vulnerability it exploits to spread, was fixed by Microsoft in March. Most home users are safe because Windows Updates apply automatically (yes, it's annoying to have a computer reboot when you do not want it to, but today you are thanking your lucky stars).

Some reports of note:

CCN-CERT, the computer emergency response team for Spain, first issued a warning (in Spanish) of this outbreak Friday morning.

Spanish telecommunications company Telefónica reported (in Spanish) that they too have been affected.

The British Broadcasting Corporation has a running commentary on effects in the UK, and specifically the effects on the UK's National Health Service.

The Register reports that UK hospitals have effectively shutdown, and are not accepting new patients.

Global delivery company FedEx reported that it has been affected, but has not specified what locations or if deliveries have been interrupted. At least one FedEx customer reported Customer Service being unable to provide support due to server outages.

What can you do:

Home users by and large are not affected by this. If you follow the basic steps I recommend in (in particular, setting Windows to automatically install updates), Windows long ago installed the patch to protect you from this worm.

For corporate and small business readers:
  • Block TCP 445 and 135 inbound from the Internet
  • Install MS17-010 everywhere. Note that the April and May cumulative updates for Windows include this patch
  • Kill off SMBv1. SMB version 1 is a 30-year-old protocol that has outlived its usefulness. Every modern operating system - including all supported Windows variants, MacOS and OS X, and the Samba product for Linux file sharing, supports the newer v2 and v3 versions.

    SMBv1 can be disabled on the server side by creating or editing the following value in the Windows Registry (the key is the one Microsoft documents for the SMB server service):

    Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Name: SMB1
    Type: DWORD
    Value: 0

    Then run the following command to disable SMBv1 on the client side:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled

  • Block client-to-client SMB (TCP 445) traffic. Generally speaking, laptops don't need to map file shares of other laptops. Blocking lateral SMB traffic prevents this malware from spreading laptop-to-laptop. Then focus on patching your domain controllers and enterprise file servers - which genuinely do need to share services on TCP 445.
  • Run Windows Firewall and block inbound TCP 445 connections when on an untrusted network (public WiFi, for example).

Friday, May 5, 2017

Hacking the SIEM

Day 1 of Security B-Sides Austin is in the books. One talk in particular stuck with me: "Hack the SIEM" by John Griggs of Meta Studios, Inc.

Your SIEM is an aggregation of lots of data about your company - it contains information about endpoints, network controls, detective capabilities, and incidents. To an attacker, it is a gold mine of recon.

John brought up a different point, one I had not considered: your Security Information and Event Management system, or SIEM, may also be the single pane of glass that your SOC relies on. If an attacker doesn't show up in the SIEM, your SOC may not be aware of the incident - even if the originating network control is squawking at the top of its lungs.

Ergo, an attacker doesn't have to cover all of its tracks - they only need to stop their actions from showing up in the SIEM. Sure, original logs will show the attacker's trail in the post-mortem, but depending on their objectives, avoiding real-time detection may be all the attacker needs.

Is your SIEM locked down to prevent it from being used and abused by an attacker?

Tuesday, April 18, 2017

A letter from the IRS

Fraudsters may have viewed information appearing on your federal tax return. Information viewed may include: type of tax return filed, type and amounts of income reported, income tax, untaxed pensions, untaxed individual retirement account distributions and payments, exemptions, and education credits.

This weekend I had the dubious pleasure of reading a letter that begins with these two paragraphs.

In March, the Internal Revenue Service removed a Data Retrieval Tool from its website, a tool used by many families to retrieve income and tax information necessary to fill out the Free Application for Financial Student Aid, but also a tool that had been compromised by criminals to obtain personal information on some 100,000 taxpayers.

According to a story by Brian Krebs, the Data Retrieval Tool was intended as a way for students who may not have ready access to their parents' tax returns, to look up the parents' Adjusted Gross Income - a key figure used by colleges and universities to determine how much and what forms of aid to award enrollees.

The letter from the IRS, though, suggests far more information could be accessed through the Data Retrieval Tool.
"Fraudsters may have viewed information appearing on your federal tax return. Information viewed may include: type of tax return filed, type and amounts of income reported, income tax, untaxed pensions, untaxed individual retirement account distributions and payments, exemptions, and education credits."
The IRS has arranged for credit monitoring, identity theft insurance, and "other services that will allow you to monitor your personal accounts." A possible interpretation of this letter is, the attackers could see complete federal tax returns rather than just the income information intended to be accessed through this tool. I have no inside knowledge of what was truly exposed. I am only reading between the lines based on what the IRS stated in their letter.

Depending on exactly what was exposed, "IRA distributions" could include not only the dollar amount but also the financial institution and account numbers. IRS form 5498 ("IRA Contribution Information," which your financial institution provided to the IRS) includes a field for your account number. In other words, a tax return has more than enough information for a scammer to convincingly impersonate you to your bank, to social engineer bank personnel into granting them access to bank accounts.

What can you do?

If you are affected by this data breach (or any breach of personally identifying information for that matter), here are a few things you can do:

  1. Take advantage of the credit monitoring offered by the IRS. Stolen identity information can be used to open new credit accounts in your name, and as far as the lender is concerned, you are on the hook. Credit monitoring alerts you to such new accounts quickly, giving you a chance to do something about it before the crook runs up debt.
  2. Place a Fraud Alert or Security Freeze on your credit report. In truth, every US consumer should do this, whether or not you are the victim of identity theft. A Fraud Alert tells potential creditors to take extra care in verifying your identity before issuing credit. Generally that means the creditor will call you at the phone number you provide in the fraud alert. While it is not mandatory, it is in the creditor's best interest since by US law they are on the hook for fraudulent credit.

    A Security Freeze, on the other hand, denies would-be creditors access to your credit report. They cannot view your credit history, and they cannot place new accounts on your credit report.
  3. Establish an IRS Identity Protection PIN (IP PIN). An IP PIN is essentially a password for your tax return. Crooks use taxpayer information to file fraudulent tax returns, claiming significant refunds. While the tax filing deadline for the 2016 calendar year just ended, tax fraud will undoubtedly spike again next February and March. With an IP PIN, a fraudster cannot file a return using your identity without also having that PIN.
  4. File early next year (and every year following). A criminal cannot file "your" tax return if you get there first.
  5. Call your bank: alert them to the possibility someone may try to impersonate you. Ask what options they have for extra protection. USAA just sent the below memo to all of its customers, extending multifactor authentication to telephone customer service. This is a fantastic idea: customers calling in for service (or scammers calling in to steal your money) will need an extra password sent by email or SMS. To my knowledge USAA is the only bank that offers this added layer of security, but I will be very happy to be proven wrong -- please comment below if you are aware of other banks that do this.

USAA is extending multifactor authentication to customer service calls.

Tuesday, March 28, 2017

Hackers threaten mass iCloud carnage: don't panic, but do enable 2FA

There have been rumblings in recent weeks (with varying degrees of credibility and/or paranoia) of several hundred million Apple accounts stolen by hackers, with a threat that the iPhones, iPads, and iCloud backups associated with these accounts will be wiped on April 7 unless Apple pays a ransom. The threat is that owners of those accounts could wake up to find all their pictures, all their files, all their data, deleted forever.

ZDNet's Zack Whittaker has a sane take on the matter: Apple has not been hacked, but people are prone to reusing the same password across all the apps and websites they use - many of which have been breached. ZDNet's analysis found that not all of the accounts the hackers claim to have compromised are in fact compromised - but a not insignificant number are.

What you need to know:
  • If you haven't changed your Apple (aka iCloud) password recently (as in, within the last 6 months or so), it wouldn't be a bad idea to change it now. 
  • Use separate passwords for each account, so one stolen password doesn't put all your other accounts at risk.
  • Enable two-factor authentication on any accounts that matter to you, so a stolen password by itself isn't enough to break into your account and steal or delete your valuable data. Here's how to enable it on your Apple ID:

Friday, March 24, 2017

Why is this website impersonating the FBI-run InfraGard?

The real and fake InfraGard websites side-by-side

Can you tell which is the real InfraGard login screen?

InfraGard is a partnership between the FBI and private business, created to share information about threats. It consists of members from private business, state and local government agencies, state and local law enforcement agencies, schools and universities. Some of the information shared with members - while not classified - is also not entirely public.

The true web portal for InfraGard is -- the image on the left.

Someone created a pretty convincing replica of the real portal, at -- the image on the right. Other than a few outdated images, the only noticeable differences are that the replica domain name ends in .com instead of .org, and the replica is served over non-secure http instead of https.

Tuesday, March 21, 2017

Cisco's CIA Vault7 exploit in context

Cisco issued a security bulletin on March 17, disclosing a remote code execution vulnerability in the Cluster Management Protocol (CMP) code of IOS and IOS XE software, affecting over 300 Cisco switch and router models. Through this vulnerability, an unauthenticated remote attacker can take complete control of a network device.

Cisco discovered the flaw while going through the WikiLeaks "Vault7" documents believed to have come from the CIA, suggesting that the flaw has been actively exploited. Naturally, every tech writer on the planet has rushed in to write doom and gloom stories of mass exploitation.

Slow down just a bit.

Those following long-standing best practices for securing infrastructure hardware are at little risk. The flaw is triggered by malformed CMP-specific options sent while a Telnet session is being negotiated, so it can only be exploited through the Telnet protocol, and only by an attacker who can reach the management interface of the switch.

Telnet communicates with a remote device unencrypted - transmitting usernames and passwords, as well as commands and configuration details, in the clear where anyone listening can intercept them. All modern switches and routers support SSH, which serves the same purpose but with an encrypted connection.

Disable the Telnet service on your Cisco switches in favor of SSH, restrict management to an isolated management network, and update the OS as soon as practical once Cisco issues a fix.
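A concrete way to check the first of those steps, as an added example that is not from the original post and not Cisco's tooling: the script below parses the `line vty` stanzas of an IOS running-config and flags any that still accept Telnet. Both configs are constructed samples; the hardened one also limits management access with an `access-class`, and assumes a local user, a hostname/domain and SSH keys have already been set up on the device.

```python
"""Audit Cisco IOS 'line vty' stanzas for Telnet exposure.

Added example, not from the original post. The two configs below are
constructed samples, not captured from a real device.
"""
import re

# Constructed sample: vty lines still accept Telnet (the exposure in the post).
WEAK_CONFIG = """\
hostname edge-sw1
!
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet ssh
line vty 5 15
 login
 transport input all
!
end
"""

# Constructed sample: Telnet off, SSH only, management restricted by ACL.
HARDENED_CONFIG = """\
hostname edge-sw1
!
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
!
line vty 0 15
 access-class MGMT-HOSTS in
 login local
 transport input ssh
!
end
"""

LINE_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")


def parse_vty_lines(config):
    """Return one dict per 'line vty' stanza: first/last line number and transport.

    The default for 'transport input' differs between IOS trains, so a stanza
    with no explicit setting is reported as 'unspecified' rather than guessed.
    """
    stanzas = []
    current = None
    for raw in config.splitlines():
        m = LINE_RE.match(raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = {"first": first, "last": last, "transport": "unspecified"}
            stanzas.append(current)
            continue
        if raw and not raw.startswith(" "):
            current = None            # a non-indented line ends the stanza
            continue
        if current is not None:
            tokens = raw.strip().split()
            if len(tokens) >= 3 and tokens[:2] == ["transport", "input"]:
                current["transport"] = " ".join(tokens[2:])
    return stanzas


def telnet_exposed(config):
    """Return (first, last, transport) for every vty stanza that accepts Telnet."""
    findings = []
    for s in parse_vty_lines(config):
        protocols = s["transport"].split()
        if "telnet" in protocols or "all" in protocols:
            findings.append((s["first"], s["last"], s["transport"]))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, telnet_exposed(cfg))
```

Paste in the output of `show running-config | section line vty` from each device. Cisco's published workaround was to stop accepting Telnet on incoming connections, which is exactly what `transport input ssh` on the vty lines does; the `access-class` is the "isolated management network" part of the advice expressed as an ACL.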

Carry on.

Wednesday, March 15, 2017

Facebook Messenger phishing scam

A phishing scam is using Facebook Messenger to spread, by telling your friends a video of them has gone viral.

Updated 20-March: My initial analysis was limited due to traveling without my laptop, and with unreliable data service. I've updated the post with a few additional domains to block, and to show the different behavior on mobile versus PC.

There’s a scam making the rounds on Facebook, making use of Facebook Messenger to spread. (Sysadmins, scroll to the bottom for a list of domains to block).

It starts when you receive a message from a friend that simply says your name, with your profile picture styled to look like the preview of a video with hundreds of thousands of views. The implication is that there is a "Facebook Video" of you that has gone viral.

Saturday, February 11, 2017

Quick and dirty malicious PDF analysis

Analyzing weird things forwarded by friends and family is a great way to keep my DFIR skills sharp.

Friends and family regularly send me things they find suspicious or weird. Sometimes it turns out to be malicious, and other times perfectly fine, but I'm always glad to know I've instilled a proper degree of skepticism in my friends.

My willingness to help has an ulterior motive: aside from the "herd immunity" that comes from helping those around me stay safe, analyzing weird things they see helps me keep my own skills sharp. It also can alert me to new or resurging threats, such as the Disney theme park scams so common around customary family travel periods.

Today's story is about a phish. A simple phish, but one with lots of red flags to call out, and that called to my attention some new features Google introduced in Chrome last month. As with many phish, this one begins with an email. Nothing fancy, just a brief memo that a voice message has arrived.
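The post is cut off here, so as an added example (not the author's own tooling, which the page does not show) here is the kind of quick-and-dirty triage the title refers to: a keyword scan in the style of Didier Stevens' pdfid, run over two constructed PDF byte strings. The malicious sample hex-escapes the `/JavaScript` name, a common trick for defeating naive string searches, so the scanner normalizes name escapes before counting.

```python
"""Quick-and-dirty PDF triage: count the structural keywords that usually
matter in a malicious document.

Added example, not the original post's code. The sample PDFs below are
constructed byte strings, not real malware.
"""
import re

# Keywords whose presence (especially in combination) warrants a closer look.
SUSPICIOUS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
              b"/EmbeddedFile", b"/URI", b"/ObjStm", b"/AcroForm", b"/RichMedia"]

HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data):
    """Decode PDF name escapes, e.g. /J#61vaScript -> /JavaScript.

    The PDF spec treats both spellings as the same name, so a reader runs the
    script either way; only a naive string search is fooled by the escape.
    """
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data):
    """Return {keyword: count} over the normalized bytes.

    A name ends at whitespace or a delimiter, so '/JS' must not also match
    the first three bytes of '/JSomethingElse'.
    """
    data = normalize_names(data)
    counts = {}
    for kw in SUSPICIOUS:
        pattern = re.escape(kw) + rb"(?=[\s/\[\]<>(){}%]|$)"
        counts[kw.decode()] = len(re.findall(pattern, data))
    return counts


def triage(data):
    """Return (verdict, reasons, counts). Auto-execute hook plus active content
    is the classic phishing-attachment pattern."""
    c = count_keywords(data)
    reasons = []
    if c["/OpenAction"] or c["/AA"]:
        reasons.append("runs an action automatically on open or on an event")
    if c["/JavaScript"] or c["/JS"]:
        reasons.append("contains JavaScript")
    if c["/Launch"]:
        reasons.append("can launch an external program")
    if c["/EmbeddedFile"]:
        reasons.append("carries an embedded file")
    if c["/ObjStm"]:
        reasons.append("uses object streams (objects may be hidden in compressed data)")
    verdict = "suspicious" if len(reasons) >= 2 else "review" if reasons else "likely benign"
    return verdict, reasons, c


# Constructed sample: minimal PDF that runs JavaScript on open, with the
# /JavaScript name hex-escaped the way evasive samples do.
MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.launchURL('http://example.invalid/voicemail');) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Constructed sample: a plain one-page document with no active content.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        verdict, reasons, counts = triage(pdf)
        print(f"{label}: {verdict} {reasons}")
```

This is triage, not analysis: keywords inside FlateDecode streams or object streams are invisible to a byte scan, so a high `/ObjStm` count with nothing else is itself a reason to decompress and look further (pdf-parser or peepdf do that). Run it on a copy of the attachment in an isolated VM, never by opening the file.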

Wednesday, January 25, 2017

It's tax fraud season!

Tax season means tax fraud season. Here are a few common schemes to watch out for, along with tips to protect yourself from fraud.
1040 Individual Tax Return, by 401kcalculator. Used under license CC BY-SA 2.0

It's tax season. That means it is also tax fraud season. 

Early in the year is prime time for tax-related scams targeting both consumers and businesses. I see these start to appear around late December, but tax-related scams tend to peak in March. It makes sense that consumer scams would peak as the April 15 filing deadline approaches - but it's rather illogical that this is also true for business compromise. Employers, charities, and financial institutions are generally required to provide tax documents to consumers by January 31, so a successful business-oriented scam in March is a bit of a head-scratcher. Nonetheless, that's what the data show. 

Below are explanations of some common tax-related threats this time of year, along with tips to protect yourself.

Tuesday, January 17, 2017

How to be your daughter's hero, DFIR edition

Not only is digital forensics useful in cybersecurity, it can make you a hero in your daughter's eyes!

Every now and then, my day job pays dividends at home. Shortly before Christmas was one such occasion.

My daughter (a foreign exchange student my family is hosting, but she quickly became a daughter to us) had just spent a weekend with a friend. The friend too was a foreign exchange student from the same country as my daughter, but was near the end of her exchange and was soon to return to their home country. My daughter had taken many pictures of their weekend together, and had uploaded them to the friend's computer.

As is commonly the default, uploading the photos to the computer also deleted them from her camera.

By the time she discovered that, the friend had already begun her trek home. Several gigabytes of photos are not hard to transfer over WiFi or with a flash drive ... it's a different story when all you have is a cellphone hotspot with a limited data plan, or a costly and rate-limited airport wireless service.

Much to my wife's chagrin I am a sucker for my daughters' pleas for help. That holds true whether from the daughters born to my family or the daughter we are hosting. Just about any dad would say the same. Fortunately, one doesn't spend twenty years in technology and digital forensics without learning a few tricks.
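The post stops before describing the trick. As an added example of the standard one for this situation (not the author's own steps, which the page does not show), the carver below recovers JPEGs from a raw image of the camera's memory card. Deleting a photo normally only drops its directory entry; the bytes stay on the card until something overwrites them. The carver walks the JPEG marker segments rather than stopping at the first end-of-image marker, so the thumbnail that cameras embed in the EXIF header is not mistaken for the end of the photo. The "card image" is a constructed byte string.

```python
"""Carve JPEG files out of a raw image of a memory card.

Added example, not the original post's tool. The card image below is a
constructed byte string holding two tiny JPEG-shaped files in unallocated
space; no real image data is involved.
"""
SOI = b"\xff\xd8\xff"     # start of image (FF D8 followed by a marker byte)
EOI = b"\xff\xd9"         # end of image


def jpeg_end(data, start):
    """Return the offset just past the JPEG beginning at `start`, or None.

    Each segment before the scan data carries a 2-byte big-endian length that
    includes itself, so a thumbnail nested inside an APP1/EXIF segment is
    skipped rather than terminating the carve early. Once the SOS marker is
    reached, the entropy-coded data runs until the next FF D9, which cannot
    occur inside scan data (FF is stuffed as FF 00; restart markers are D0-D7).
    """
    pos = start + 2                       # skip FF D8
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                   # not a marker stream: false positive
        marker = data[pos + 1]
        if marker == 0xD9:                # EOI before any scan data
            return pos + 2
        if marker == 0xDA:                # SOS: scan data follows
            end = data.find(EOI, pos + 2)
            return None if end < 0 else end + 2
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return None
        pos += 2 + seg_len
    return None


def carve_jpegs(data):
    """Return [(offset, bytes)] for every structurally valid JPEG in `data`."""
    found = []
    pos = 0
    while True:
        start = data.find(SOI, pos)
        if start < 0:
            break
        end = jpeg_end(data, start)
        if end is None:
            pos = start + 1               # stray FF D8 FF: keep scanning
            continue
        found.append((start, data[start:end]))
        pos = end                         # skip anything nested in this file
    return found


def make_jpeg(payload, thumbnail=None):
    """Build a minimal JPEG-shaped blob for the demo: SOI, optional APP1 holding
    a nested thumbnail JPEG, a SOS segment, scan data, EOI."""
    out = bytearray(b"\xff\xd8")
    if thumbnail is not None:
        app1 = b"Exif\x00\x00" + thumbnail
        out += b"\xff\xe1" + (len(app1) + 2).to_bytes(2, "big") + app1
    sos = b"\x01\x01\x00\x00\x3f\x00"
    out += b"\xff\xda" + (len(sos) + 2).to_bytes(2, "big") + sos
    out += payload + b"\xff\xd9"
    return bytes(out)


THUMB = make_jpeg(b"\x11\x22\x33")
PHOTO1 = make_jpeg(b"\xaa\xbb\xcc\xdd" * 4, thumbnail=THUMB)   # has an EXIF thumbnail
PHOTO2 = make_jpeg(b"\x10\x20\x30")

# Constructed card image: filler, a deleted photo, filesystem slack, a stray
# SOI with no valid structure behind it, another deleted photo, more filler.
CARD_IMAGE = (b"\x00" * 64 + PHOTO1 + b"FAT32 slack" + b"\xff\xd8\xffXX"
              + b"\x00" * 16 + PHOTO2 + b"\x00" * 32)

if __name__ == "__main__":
    for i, (offset, blob) in enumerate(carve_jpegs(CARD_IMAGE)):
        print(f"carved_{i:04d}.jpg offset={offset} size={len(blob)}")
```

On a real card, keep it out of the camera until you are done (new photos are what overwrite the deleted ones), image it first with something like `dd if=/dev/sdX of=card.img bs=4M`, and carve from the image rather than the live device. This carver assumes each photo is stored contiguously, which is usually true for a camera writing sequentially to a freshly formatted card, and it ignores marker padding (extra 0xFF bytes) and fragmentation; photorec and scalpel handle those cases.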